mirror of
https://github.com/plantroon/acme.sh.git
synced 2024-12-22 13:11:41 +00:00
Chain (#3408)
* fix https://github.com/acmesh-official/acme.sh/issues/3384 match the issuer to the root CA cert subject * fix format * fix https://github.com/acmesh-official/acme.sh/issues/3384 * remove the alt files. https://github.com/acmesh-official/acme.sh/issues/3384
This commit is contained in:
parent
016dca654e
commit
ac148ce0e9
58
acme.sh
58
acme.sh
@ -4009,12 +4009,42 @@ _check_dns_entries() {
|
||||
}
|
||||
|
||||
#file
|
||||
_get_cert_issuers() {
|
||||
_get_chain_issuers() {
|
||||
_cfile="$1"
|
||||
if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -help 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then
|
||||
${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
|
||||
${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep -i 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
|
||||
else
|
||||
${ACME_OPENSSL_BIN:-openssl} x509 -in $_cfile -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
|
||||
_cindex=1
|
||||
for _startn in $(grep -n -- "$BEGIN_CERT" "$_cfile" | cut -d : -f 1); do
|
||||
_endn="$(grep -n -- "$END_CERT" "$_cfile" | cut -d : -f 1 | _head_n $_cindex | _tail_n 1)"
|
||||
_debug2 "_startn" "$_startn"
|
||||
_debug2 "_endn" "$_endn"
|
||||
if [ "$DEBUG" ]; then
|
||||
_debug2 "cert$_cindex" "$(sed -n "$_startn,${_endn}p" "$_cfile")"
|
||||
fi
|
||||
sed -n "$_startn,${_endn}p" "$_cfile" | ${ACME_OPENSSL_BIN:-openssl} x509 -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2 | sed "s/ *\(.*\)/\1/"
|
||||
_cindex=$(_math $_cindex + 1)
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
_get_chain_subjects() {
|
||||
_cfile="$1"
|
||||
if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -help 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then
|
||||
${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep -i 'Subject:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
|
||||
else
|
||||
_cindex=1
|
||||
for _startn in $(grep -n -- "$BEGIN_CERT" "$_cfile" | cut -d : -f 1); do
|
||||
_endn="$(grep -n -- "$END_CERT" "$_cfile" | cut -d : -f 1 | _head_n $_cindex | _tail_n 1)"
|
||||
_debug2 "_startn" "$_startn"
|
||||
_debug2 "_endn" "$_endn"
|
||||
if [ "$DEBUG" ]; then
|
||||
_debug2 "cert$_cindex" "$(sed -n "$_startn,${_endn}p" "$_cfile")"
|
||||
fi
|
||||
sed -n "$_startn,${_endn}p" "$_cfile" | ${ACME_OPENSSL_BIN:-openssl} x509 -text -noout | grep -i 'Subject:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2 | sed "s/ *\(.*\)/\1/"
|
||||
_cindex=$(_math $_cindex + 1)
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
@ -4022,14 +4052,12 @@ _get_cert_issuers() {
|
||||
_match_issuer() {
|
||||
_cfile="$1"
|
||||
_missuer="$2"
|
||||
_fissuers="$(_get_cert_issuers $_cfile)"
|
||||
_fissuers="$(_get_chain_issuers $_cfile)"
|
||||
_debug2 _fissuers "$_fissuers"
|
||||
if _contains "$_fissuers" "$_missuer"; then
|
||||
return 0
|
||||
fi
|
||||
_fissuers="$(echo "$_fissuers" | _lower_case)"
|
||||
_rootissuer="$(echo "$_fissuers" | _lower_case | _tail_n 1)"
|
||||
_debug2 _rootissuer "$_rootissuer"
|
||||
_missuer="$(echo "$_missuer" | _lower_case)"
|
||||
_contains "$_fissuers" "$_missuer"
|
||||
_contains "$_rootissuer" "$_missuer"
|
||||
}
|
||||
|
||||
#webroot, domain domainlist keylength
|
||||
@ -4803,6 +4831,9 @@ $_authorizations_map"
|
||||
_split_cert_chain "$CERT_PATH" "$CERT_FULLCHAIN_PATH" "$CA_CERT_PATH"
|
||||
|
||||
if [ "$_preferred_chain" ] && [ -f "$CERT_FULLCHAIN_PATH" ]; then
|
||||
if [ "$DEBUG" ]; then
|
||||
_debug "default chain issuers: " "$(_get_chain_issuers "$CERT_FULLCHAIN_PATH")"
|
||||
fi
|
||||
if ! _match_issuer "$CERT_FULLCHAIN_PATH" "$_preferred_chain"; then
|
||||
rels="$(echo "$responseHeaders" | tr -d ' <>' | grep -i "^link:" | grep -i 'rel="alternate"' | cut -d : -f 2- | cut -d ';' -f 1)"
|
||||
_debug2 "rels" "$rels"
|
||||
@ -4818,13 +4849,22 @@ $_authorizations_map"
|
||||
_relca="$CA_CERT_PATH.alt"
|
||||
echo "$response" >"$_relcert"
|
||||
_split_cert_chain "$_relcert" "$_relfullchain" "$_relca"
|
||||
if [ "$DEBUG" ]; then
|
||||
_debug "rel chain issuers: " "$(_get_chain_issuers "$_relfullchain")"
|
||||
fi
|
||||
if _match_issuer "$_relfullchain" "$_preferred_chain"; then
|
||||
_info "Matched issuer in: $rel"
|
||||
cat $_relcert >"$CERT_PATH"
|
||||
cat $_relfullchain >"$CERT_FULLCHAIN_PATH"
|
||||
cat $_relca >"$CA_CERT_PATH"
|
||||
rm -f "$_relcert"
|
||||
rm -f "$_relfullchain"
|
||||
rm -f "$_relca"
|
||||
break
|
||||
fi
|
||||
rm -f "$_relcert"
|
||||
rm -f "$_relfullchain"
|
||||
rm -f "$_relca"
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
Loading…
Reference in New Issue
Block a user